auppal
Staff
Article Id 351245
Description

This article describes troubleshooting steps for the case where a FortiGate configured as a DHCP server does not perform the Dynamic DNS (DDNS) update on the DNS server as expected.

Scope

FortiGate.

Solution

  1. Check whether the FortiGate is receiving the DHCP Request with option (81) Client Fully Qualified Domain Name. This can be checked by taking a packet capture on the FortiGate GUI or CLI on the interface where the DHCP client is connected.
    To take a packet capture, refer to this article.
  2. In Option 81, the 'S' bit in the Flags field must be set to 1 if the client wants the server to perform the DNS update.

See this document.

Option: (81) Client Fully Qualified Domain Name
Length: 16
Flags: 0x00
0000 .... = Reserved flags: 0x0
.... 0... = Server DDNS: Some server updates
.... .0.. = Encoding: ASCII encoding
.... ..0. = Server overrides: No override
.... ...0 = Server: Client  <--S bit
A-RR result: 0
PTR-RR result: 0
Client name: AB81-xxxx


The format of the 1-octet Flags field is:

 0 1 2 3 4 5 6 7
+-+-+-+-+-+-+-+-+
|  MBZ  |N|E|O|S|
+-+-+-+-+-+-+-+-+

  3. If the S bit is not set, then either:
    1. the client is going to perform the update, or
    2. the server will inform the client in the DHCP ACK that the server will perform the DNS update.

  4. Check the DHCP ACK from the DHCP server and see whether the 'S' bit is set to 1. If the 'S' bit is set in Option 81 of the DHCP ACK, the DHCP server is responsible for performing the Dynamic DNS update on the DNS server.


See this document.
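To make the Flags semantics above (the S bit in the request and in the DHCP ACK) concrete, here is an added Python decoder for the option 81 payload; it is not part of the original article or of FortiOS, the function and constant names are my own, and the byte strings it parses are constructed samples with `AB81-client01` standing in for the redacted client name in the capture.

```python
# Decode DHCPv4 option 81 (Client FQDN, RFC 4702) and tell who should do the DDNS A update.

# Flag bits of the 1-octet Flags field; bits 4..7 are MBZ (must be zero).
FLAG_S, FLAG_O, FLAG_E, FLAG_N = 0x01, 0x02, 0x04, 0x08

def decode_fqdn_name(wire_encoded: bool, raw: bytes) -> str:
    """Domain-name field: DNS wire labels when E=1, plain ASCII when E=0."""
    if not wire_encoded:
        return raw.decode("ascii")
    labels, pos = [], 0
    while pos < len(raw) and raw[pos] != 0:   # a zero length octet is the root label
        length = raw[pos]
        if length > 63:                       # compression pointers are not allowed here
            raise ValueError("invalid label length in option 81")
        labels.append(raw[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def parse_option81(payload: bytes) -> dict:
    """payload = option data after the code/length octets: flags, rcode1, rcode2, name."""
    if len(payload) < 3:
        raise ValueError("option 81 needs at least 3 octets")
    flags = payload[0]
    if flags & 0xF0:
        raise ValueError(f"reserved MBZ bits set in flags 0x{flags:02x}")
    return {
        "S": bool(flags & FLAG_S),   # client asks the server to update the A record
        "O": bool(flags & FLAG_O),   # server overrode the client's S=0 preference
        "E": bool(flags & FLAG_E),   # name is in canonical DNS wire format
        "N": bool(flags & FLAG_N),   # client asks the server to do no updates at all
        "rcode1": payload[1],        # deprecated A-RR / PTR-RR result octets
        "rcode2": payload[2],
        "name": decode_fqdn_name(bool(flags & FLAG_E), payload[3:]),
    }

def a_record_updater(ack_payload: bytes) -> str:
    """Judge from the server's DHCPACK copy of option 81, as step 4 above does."""
    ack = parse_option81(ack_payload)
    if ack["N"]:
        return "none"            # server will perform no DDNS update at all
    if ack["S"]:
        return "server (override)" if ack["O"] else "server"
    return "client"

# Constructed samples (not taken from the capture above): the request there had
# flags 0x00 and length 16, i.e. 13 ASCII octets of client name.
REQUEST = b"\x00\x00\x00" + b"AB81-client01"                    # S=0: client updates A
ACK_OVERRIDE = b"\x03\x00\x00" + b"AB81-client01"               # S=1,O=1: server overrode
REQUEST_WIRE = b"\x05\x00\x00" + b"\x04host\x07example\x03com\x00"  # E=1,S=1
```

Run `parse_option81` on the option 81 bytes from a capture of the DHCP Request and of the DHCP ACK; `a_record_updater` on the ACK payload gives the party that should be sending the Dynamic DNS Update.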

 

  5. Check the dhcps debugs on the FortiGate and look for the DHCP ACK from the DHCP server (the FortiGate interface).


Based on the 'S' bit, the FortiGate should determine that it has to update the DNS server with an A record. In that case, debug output like the following can be expected:

2024-10-17 15:02:04 [debug][dhcpd_ddns_update:1626] DHCP server will be sending a DDNS update with an ID 954 for DHCP client, 6c:4b:90:xx:xx:xx.
2024-10-17 15:02:04 [note]DHCPACK on 10.130.51.60 to 6c:4b:90:xx:xx:xx via lan1(ethernet)

 

DHCPS debugs: Technical Tip: Diagnosing DHCP on a FortiGate - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Diagnosing-DHCP-on-a-FortiGate/ta-p/192960

 

  6. Check the DNS traffic in a sniffer capture taken on the FortiGate interface where the DNS server is connected. The FortiGate should generate a Dynamic DNS Update and send it to the DNS server. If the update is successful, a Dynamic DNS Update Response is seen from the DNS server. The following is an example of a successful DNS update where 10.0.0.1 is the FortiGate's interface and 10.0.0.56 is the DNS server.

2024-10-09 10:48:22.633701  10.0.0.1  10.0.0.56  DNS  156  Dynamic update 0x000d SOA example.com A A 10.0.56.2
2024-10-09 10:48:22.634712  10.0.0.56  10.0.0.1  DNS  156  Dynamic update response 0x000d SOA example.com A A 10.0.56.2

See this article for instructions on packet capture.

Related document:
Technical Tip: Configure DDNS update override in FortiGate DHCP server